Reassigning exit internet protocol addresses in a virtual private network server

ABSTRACT

A method for reassigning exit internet protocol (IP) addresses in a virtual private network (VPN), the method comprising activating a first exit IP address for communicating data associated with a user device having an established VPN connection; deactivating, during the established VPN connection, the first exit IP address based at least in part on determining that an amount of data communication associated with the first exit IP address satisfies a data threshold; and activating, during the established VPN connection, a second exit IP address, different from the first exit IP address, for communicating data associated with the user device based at least in part on deactivating the first exit IP address. Various other aspects are contemplated.

FIELD OF DISCLOSURE

Aspects of the present disclosure generally relate to a virtual privatenetwork (VPN), and more particularly to reassigning exit internetprotocol (IP) addresses in a VPN server.

BACKGROUND

Global Internet users increasingly rely on VPN services to preservetheir privacy, to circumvent censorship, and/or to access geo-filteredcontent. Originally developed as a technology to privately send andreceive data across public networks, VPNs are now used broadly as aprivacy-preserving technology that allows Internet users to obscure notonly the communicated data but also personal information such as, forexample, web browsing history from third parties including Internetservice providers (ISPs), Spywares, or the like. A VPN service providermay offer a secure private networking environment within a publiclyshared, insecure infrastructure through encapsulation and encryption ofthe data communicated between a VPN client application (or VPNapplication) installed on a user device and a remote VPN server.

Most VPN providers rely on a tunneling protocol to create the secureprivate networking environment, which adds a layer of security toprotect each IP packet of the communicated data during communicationover the Internet. Tunneling may be associated with enclosing an entireIP packet within an outer IP packet to form an encapsulated IP packet,and transporting the enclosed IP packet over the Internet. The outer IPpacket may protect contents of the enclosed IP packet from public viewby ensuring that the enclosed IP packet is transmitted over the Internetwithin a virtual tunnel. Such a virtual tunnel may be a point-to-pointtunnel established between the user device and the VPN server. Theprocess of enclosing the entire IP packet within the outer IP packet maybe referred to as encapsulation. Computers, servers, or other networkdevices at ends of the virtual tunnel may be referred to as tunnelinterfaces and may be capable of encapsulating outgoing IP packets andof unwrapping incoming encapsulated IP packets.

Encryption may be associated with changing the data from being in atransparently readable format to being in an encoded, unreadable formatwith help of an encryption algorithm. Decryption may be associated withchanging the data from being in the encoded, unreadable format to beingin the transparently readable format with help of a decryptionalgorithm. In an example, encoded/encrypted data may bedecoded/decrypted with only a correct decryption key. In a VPN,encryption may render the communicated data unreadable or indecipherableto any third party. At a basic level, when the user launches theinstalled VPN application and connects to the VPN server, the VPNapplication may encrypt all contents of the data before transmissionover the Internet to the VPN server. Upon receipt, the VPN server maydecrypt the encrypted data and forward the decrypted data to an intendedtarget via the Internet. Similarly, the VPN server may encrypt allcontents of the data before transmission over the Internet to the userdevice. Upon receipt, the VPN application on the user device may decryptthe encrypted data and provide the decrypted data to the user.

VPNs generally use different types of encryption and decryptionalgorithms to encrypt and decrypt the communicated data. Symmetricencryption may utilize encryption and decryption algorithms that rely ona single private key for encryption and decryption of data. Symmetricencryption is considered to be relatively speedy. One example of anencryption and decryption algorithm utilized by symmetric encryption maybe an AES encryption cipher. Asymmetric encryption, on the other hand,may utilize encryption and decryption algorithms that rely on twoseparate but mathematically-related keys for encryption and decryptionof data. In one example, data encrypted using a public key may bedecrypted using a separate but mathematically-related private key. Thepublic key may be publicly available through a directory, while theprivate key may remain confidential and accessible by only an owner ofthe private key. Asymmetric encryption may also be referred to as publickey cryptography. One example of an encryption and decryption algorithmutilized by asymmetric encryption may be Rivest-Shamir-Adleman (RSA)protocol.

In a VPN, keys for encryption and decryption may be randomly generatedstrings of bits. Each key may be generated to be unique. A length of anencryption key may be given by a number of the randomly generated stringbits, and the longer the length of the encryption key, the stronger isthe encryption.

VPNs may employ user authentication, which may involve verification ofcredentials required to confirm authenticity/identity of the user. Forinstance, when a user launches the VPN application to request a VPNconnection, the VPN service provider may authenticate the user deviceprior to providing the user device with access to VPN services. In thisway, user authentication may provide a form of access control.Typically, user authentication may include verification of a uniquecombination of a user ID and password. To provide improved security inthe VPN, user authentication may include additional factors such asknowledge, possession, inheritance, or the like. Knowledge factors mayinclude items (e.g., pin numbers) that an authentic user may be expectedto know. Possession factors may include items (e.g., one-time password(OTP) tokens) that an authentic user may be expected to possess at atime associated with the authentication. Inherent factors may includebiometric items (e.g., fingerprint scans, retina scans, iris scans, orthe like) that may be inherent traits of an authentic user.

A VPN may be associated with a network of VPN servers, typicallydeployed in various geographic locations. A VPN server may be a physicalserver or a virtual server configured to host and/or globally deliverVPN services to the user. A server may be a combination of hardware andsoftware, and may include logical and physical communication ports. Whenlaunched, the VPN application may connect with a selected VPN server forsecure communication of data via the virtual tunnel.

The VPN application, installed on the user device, may utilizesoftware-based technology to establish a secure connection between theuser device and a VPN server. Some VPN applications may automaticallywork in the background on the user device while other VPN applicationsmay include front-end interfaces to allow the user to interact with andconfigure the VPN applications. VPN applications may often be installedon a computer (e.g., user device), though some entities may provide apurpose-built VPN application as a hardware device that is pre-installedwith software to enable the VPN. Typically, a VPN application mayutilize one or more VPN protocols to encrypt and decrypt thecommunicated data. Some commonly used VPN protocols may include OpenVPN,SSTP, PPTP, L2TP/IPsec, SSL/TLS, Wireguard, IKEv2, and SoftEther.

SUMMARY

In one aspect, the present disclosure contemplates a method forreassigning exit internet protocol (IP) addresses in a virtual privatenetwork (VPN), the method comprising activating a first exit IP addressfor communicating data associated with a user device having anestablished VPN connection; deactivating, during the established VPNconnection, the first exit IP address based at least in part ondetermining that an amount of data communication associated with thefirst exit IP address satisfies a data threshold; and activating, duringthe established VPN connection, a second exit IP address, different fromthe first exit IP address, for communicating data associated with theuser device based at least in part on deactivating the first exit IPaddress.

In another aspect, the present disclosure contemplates a deviceassociated with a virtual private network (VPN), the device comprising amemory; and a processor communicatively coupled to the memory, thememory and processor being configured to: activate a first exit IPaddress for communicating data associated with a user device having anestablished VPN connection; deactivate, during the established VPNconnection, the first exit IP address based at least in part ondetermining that an amount of data communication associated with thefirst exit IP address satisfies a data threshold; and activate, duringthe established VPN connection, a second exit IP address, different fromthe first exit IP address, for communicating data associated with theuser device based at least in part on deactivating the first exit IPaddress. In some aspects, the device may include a network card (e.g.,network interface card (NIC)) that may allow the device to connect to anetwork including other devices.

In another aspect, the present disclosure contemplates a non-transitorycomputer readable medium storing instructions, which when executed by aprocessor cause the processor to: activate a first exit IP address forcommunicating data associated with a user device having an establishedVPN connection; deactivate, during the established VPN connection, thefirst exit IP address based at least in part on determining that anamount of data communication associated with the first exit IP addresssatisfies a data threshold; and activate, during the established VPNconnection, a second exit IP address, different from the first exit IPaddress, for communicating data associated with the user device based atleast in part on deactivating the first exit IP address.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory innature and are intended to provide an understanding of the presentdisclosure without limiting the scope thereof. In that regard,additional aspects, features, and advantages of the present disclosurewill be apparent to one skilled in the art from the following detaileddescription.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings illustrate aspects of systems, devices,methods, and/or mediums disclosed herein and together with thedescription, serve to explain the principles of the present disclosure.Throughout this description, like elements, in whatever aspectdescribed, refer to common elements wherever referred to and referencedby the same reference number. The characteristics, attributes,functions, interrelations ascribed to a particular element in onelocation apply to those elements when referred to by the same referencenumber in another location unless specifically stated otherwise.

The figures referenced below are drawn for ease of explanation of thebasic teachings of the present disclosure; the extensions of the figureswith respect to number, position, relationship, and dimensions of theparts to form the following aspects may be explained or may be withinthe skill of the art after the following description has been read andunderstood. Further, exact dimensions and dimensional proportions toconform to specific force, weight, strength, and similar requirementswill likewise be within the skill of the art after the followingdescription has been read and understood.

The following is a brief description of each figure used to describe thepresent disclosure, and thus, is being presented for illustrativepurposes only and should not be limitative of the scope of the presentdisclosure.

FIG. 1 is an illustration of an example system associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure.

FIG. 2 is an illustration of an example system associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure.

FIG. 3 is an illustration of an example flow associated with reassigningof exit IP addresses in a VPN server, according to various aspects ofthe present disclosure.

FIG. 4 is an illustration of an example process associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure.

FIG. 5 is an illustration of an example process associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure.

FIG. 6 is an illustration of an example process associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure.

FIG. 7 is an illustration of example devices associated with reassigningof exit IP addresses in a VPN server, according to various aspects ofthe present disclosure.

DETAILED DESCRIPTION

For the purposes of promoting an understanding of the principles of thepresent disclosure, reference will now be made to the aspectsillustrated in the drawings, and specific language may be used todescribe the same. It will nevertheless be understood that no limitationof the scope of the disclosure is intended. Any alterations and furthermodifications to the described devices, instruments, methods, and anyfurther application of the principles of the present disclosure arefully contemplated as would normally occur to one skilled in the art towhich the disclosure relates. In particular, it is fully contemplatedthat the features, components, and/or steps described with respect toone aspect may be combined with the features, components, and/or stepsdescribed with respect to other aspects of the present disclosure. Forthe sake of brevity, however, the numerous iterations of thesecombinations may not be described separately. For simplicity, in someinstances the same reference numbers are used throughout the drawings torefer to the same or like parts.

FIG. 1 is an illustration of an example system 100 associated withrotating exit IP addresses in a VPN, according to various aspects of thepresent disclosure. Example 100 shows an architectural depiction ofcomponents included in system 100. In some aspects, the components mayinclude a user device 102 capable of communicating with one or more VPNservers 120 and with a VPN service provider (VSP) control infrastructure104 over a network 122. The VSP control infrastructure 104 may becontrolled by a VPN service provider and may include an applicationprogramming interface (API) 106, a user database 108, processing unit110, a server database 116, and the one or more VPN servers 120. Asshown in FIG. 1, the API 106 may be capable of communicating with theuser database 108 and with the processing unit 110. Additionally, theprocessing unit 110 may be capable of communicating with the serverdatabase, which may be capable of communicating with a testing module(not shown). The testing module may be capable of communicating with theone or more VPN servers 120 over the network 122. The processing unit110 may be capable of controlling operation of the one or more VPNservers 120.

The user device 102 may be a physical computing device capable ofhosting a VPN application and of connecting to the network 122. The userdevice 102 may be, for example, a laptop, a mobile phone, a tabletcomputer, a desktop computer, a smart device, a router, or the like. Insome aspects, the user device 102 may include, for example,Internet-of-Things (IoT) devices such as VSP smart home appliances,smart home security systems, autonomous vehicles, smart health monitors,smart factory equipment, wireless inventory trackers, biometric cybersecurity scanners, or the like. The network 122 may be any digitaltelecommunication network that permits several nodes to share and accessresources. In some aspects, the network 122 may include one or more of,for example, a local-area network (LAN), a wide-area network (WAN), acampus-area network (CAN), a metropolitan-area network (MAN), ahome-area network (HAN), Internet, Intranet, Extranet, and Internetwork.

The VSP control infrastructure 104 may include a combination of hardwareand software components that enable provision of VPN services to theuser device 102. The VSP control infrastructure 104 may interface with(the VPN application on) the user device 102 via the API 106, which mayinclude one or more endpoints to a defined request-response messagesystem. In some aspects, the API 106 may be configured to receive, viathe network 122, a connection request from the user device 102 toestablish a VPN connection with a VPN server 120. The connection requestmay include an authentication request to authenticate the user device102 and/or a request for an IP address of an optimal VPN server forestablishment of the VPN connection therewith. In some aspects, anoptimal VPN server may be a single VPN server 120 or a combination ofone or more VPN servers 120. The API 106 may receive the authenticationrequest and the request for an IP address of an optimal VPN server in asingle connection request. In some aspects, the API 106 may receive theauthentication request and the request for an IP address of an optimalVPN server in separate connection requests.

The API 106 may further be configured to handle the connection requestby mediating the authentication request. For instance, the API 106 mayreceive from the user device 102 credentials including, for example, aunique combination of a user ID and password for purposes ofauthenticating the user device 102. In another example, the credentialsmay include a unique validation code known to an authentic user. The API106 may provide the received credentials to the user database 108 forverification.

The user database 108 may include a structured repository of validcredentials belonging to authentic users. In one example, the structuredrepository may include one or more tables containing valid uniquecombinations of user IDs and passwords belonging to authentic users. Inanother example, the structured repository may include one or moretables containing valid unique validation codes associated withauthentic users. The VPN service provider may add or delete such validunique combinations of user IDs and passwords from the structuredrepository at any time. Based at least in part on receiving thecredentials from the API 106, the user database 108 and a processor(e.g., the processing unit 110 or another local or remote processor) mayverify the received credentials by matching the received credentialswith the valid credentials stored in the structured repository. In someaspects, the user database 108 and the processor may authenticate theuser device 102 when the received credentials match at least one of thevalid credentials. In this case, the VPN service provider may provideVPN services to the user device 102. When the received credentials failto match at least one of the valid credentials, the user database 108and the processor may fail to authenticate the user device 102. In thiscase, the VPN service provider may decline to provide VPN services tothe user device 102.

When the user device 102 is authenticated, the user device 102 mayinitiate a VPN connection and may transmit to the API 106 may a requestfor an IP address of an optimal VPN server. The processing unit 110included in the VSP control infrastructure may be configured todetermine/identify a single VPN server 120 as the optimal server or alist of VPN servers. The processing unit 110 may utilize the API 106 totransmit the IP address of the optimal server or IP addresses of the VPNservers 120 included in the list to the user device 102. In the casewhere the list of IP addresses of the VPN servers 120 is provided, theuser device 102 may have an option to select a single VPN server 120from among the listed VPN servers as the optimal server 120. The userdevice 102 may establish a VPN connection (e.g., an encrypted tunnel)with the optimal VPN server. In some aspects, the optimal VPN serverwith which the user device establishes the encrypted tunnel may bereferred to as a primary VPN server or an entry VPN server. In someaspects, a VPN server 120 may be a piece of physical or virtual computerhardware and/or software capable of securely communicating with (the VPNapplication on) the user device 102 for provision of VPN services.

The processing unit 110 may be a logical unit including a scoring engine112. The processing unit 110 may include a logical component configuredto perform complex operations to compute numerical weights related tovarious factors associated with the VPN servers 120. The scoring enginemay likewise include a logical component configured to performarithmetical and logical operations to compute a server penalty scorefor one or more of the VPN servers 120.

In some aspects, based at least in part on server penalty scorescalculated via the complex operations and/or the arithmetical andlogical operations, the processing unit 110 may determine an optimal VPNserver. In one example, the processing unit 110 may determine the VPNserver 120 with the lowest server penalty score as the optimal VPNserver. In another example, the processing unit 110 may determine thelist of optimal VPN servers by including, for example, three (or anyother number) VPN servers 120 with the three lowest server penaltyscores.

One or more components (e.g., API 106, user database 108, processingunit 110, and/or server database 116) included in the VSP controlinfrastructure 104 may further be associated with acontroller/processor, a memory, or a combination thereof. For instance,the one or more components of the set of components may include or maybe included in a controller/processor, a memory, or a combinationthereof. In some aspects, the one or more of the components included inthe VSP control infrastructure 104 may be separate and distinct fromeach other. Alternatively, in some aspects, one or more of thecomponents included in the VSP control infrastructure 104 may becombined with one or more of other components included in the VSPcontrol infrastructure 104. In some aspects, the one or more of thecomponents included in the VSP control infrastructure 104 may be localwith respect to each other. Alternatively, in some aspects, one or moreof the components included in the VSP control infrastructure 104 may belocated remotely with respect to one or more of other componentsincluded in the VSP control infrastructure 104. Additionally, oralternatively, one or more components of the components included in theVSP control infrastructure 104 may be implemented at least in part assoftware stored in a memory. For example, a component (or a portion of acomponent) may be implemented as instructions or code stored in anon-transitory computer-readable medium and executable by a controlleror a processor to perform the functions or operations of the component.Additionally, or alternatively, one or more components shown in FIG. 1may be configured to perform one or more functions described as beingperformed by another set of components shown in FIG. 1.

As indicated above, FIG. 1 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 1.

One or more user devices may establish respective VPN connections (e.g.,encrypted tunnels) with a VPN server. Based at least in part onestablishing the respective VPN connections, the VPN server and/or a VSPcontrol infrastructure, responsible for managing the primary VPN server,may assign an exit IP address to the one or more user devices. Duringthe established respective VPN connections (e.g., while the respectiveVPN connections remain established), the VPN server may use the exit IPaddress for communication of data associated with the one or more userdevices. For instance, during the established respective VPNconnections, the VPN server may use the exit IP address to receive andprovide data of interest, requested by the one or more user devices,from the open internet.

The exit IP address may be configured to communicate a threshold amountof data (e.g., data threshold). When the data communication using theexit IP address reaches an amount of data that satisfies the datathreshold (e.g., amount of communicated data is larger than the datathreshold), the VPN server may have to stop using the exit IP address tocommunicate data. In one example, a party on the open internet maytransmit a burst of data to the exit IP address (e.g., burst attack),thereby enabling the data communication using the exit IP address toreach the amount of data that satisfies the data threshold. In thiscase, the exit IP address may become overloaded, resulting in reducedbandwidth being available for data communication associated with the oneor more user devices. As a consequence, the one or more user devices mayreceive degraded service from the VPN server. To avoid providingdegraded service, the VPN server may have to stop using the exit IPaddress for data communication and, thereby, terminate the establishedrespective VPN connections. As a result, provision of VPN services tothe one or more user devices may be interrupted and the one or moreusers may be required to reestablish the respective VPN connections.Terminating the established respective VPN connections and requiring theone or more users to reestablish the respective VPN connections consumesresources associated with the VPN (e.g., computational resources,management resources, processing power, memory utilization, networkbandwidth, etc.) and user device resources (e.g., processing power,memory utilization, power consumption, battery life, etc.) that mayotherwise be used for performing preferred tasks related to therespective VPN connections.

Various aspects of systems and techniques discussed in the presentdisclosure enable reassigning exit IP addresses in a VPN server. In someaspects, a VPN server is enabled to reassign exit IP addresses byassigning a different exit IP address (e.g., second exit IP address) toone or more user devices having established respective VPN connectionswith the VPN server when a previously assigned exit IP address (e.g.,first exit IP address) to the one or more user devices becomesoverloaded. Using the second exit IP address for data communication mayenable the VPN server to provide uninterrupted communication (e.g.,reception and/or transmission) of data associated with the one or moreuser devices. In this way, the VPN server may reallocate one or moreuser devices to another exit IP address. As a result, the VPN server mayavoid providing degraded service to the one or more user devices and mayavoid having to terminate the established respective VPN connections.Additionally, resources associated with the VPN (e.g., computationalresources, management resources, processing power, memory utilization,network bandwidth, etc.) and user device resources (e.g., processingpower, memory utilization, power consumption, battery life, etc.) may beavailable for performing preferred tasks related to the respective VPNconnections.

In some aspects, the VPN server may activate the first exit IP addressfor communicating data associated with a user device having anestablished VPN connection. In some aspects, activating the first exitIP address may include selecting and/or assigning the first exit IPaddress, from among a plurality of exit IP addresses included in a poolof exit IP addresses available to the VPN server, for communication ofdata (e.g., data communication) associated with the user device. The VPNserver may deactivate, during the established VPN connection, the firstexit IP address based at least in part on determining that an amount ofdata communication associated with the first exit IP address satisfies adata threshold. In some aspects, deactivating the first exit IP addressmay include suspending, for a given duration of time, the use of thefirst exit IP address for communication of data associated with the userdevice. In some aspects, deactivating the first exit IP address mayinclude refraining from using, for the given duration of time, the firstexit IP address for communication of data associated with the userdevice. The VPN server may activate, during the established VPNconnection, a second exit IP address, different from the first exit IPaddress, for communicating data associated with the user device based atleast in part on deactivating the first exit IP address. In someaspects, activating the second exit IP address may include selectingand/or assigning the second exit IP address, from among the plurality ofexit IP addresses included in the pool of exit IP addresses available tothe VPN server, for communication of data associated with the userdevice. The VPN server may reactivate the first exit IP address based atleast in part on determining that the amount of data communicationassociated with the first exit IP address fails to satisfy the datathreshold (e.g., amount of data communication is equal to or less than(e.g., below) the data threshold).

FIG. 2 is an illustration of an example system 200 associated withreassigning of exit IP addresses in a VPN server, according to variousaspects of the present disclosure. The example system 200 may representan instance associated with a server location and may include a VPNserver 120, a router 220, and a network monitoring device 230 on aninternal side (e.g., VPN side) of a network boundary. Although a singleVPN server 120 has been shown in FIG. 2, the present disclosurecontemplates the example system 200 include any number of VPN servers120. The VPN server 120 may be in communication with a user device 102(not shown) having an established VPN connection with the VPN server120. The VPN server 120 may receive, for example, communication dataassociated with the user device 102 from a host device (not shown) on anexternal side (e.g., the open internet side) of the network boundary. Toreceive the communication data, the VPN server 120 may be associatedwith a plurality of exit IP addresses including, for example, a firstexit IP address, a second exit IP address, a third exit IP address, afourth exit IP address, and a fifth exit IP address. Each of the exit IPaddresses may be from among a plurality of exit IP addresses included ina pool of exit IP addresses available to the VPN server 120. Althoughfive exit IP addresses have been shown in FIG. 2, the present disclosurecontemplates any number of exit IP addresses to be available to the VPNserver 120. In some aspects, the exit IP addresses may be IPv4 IPaddress, IPv6 IP addresses, or the like.

In some aspects, the VPN server 120 may randomly select or sequentiallyselect an exit IP address from among the plurality of exit IP addressesincluded in the pool of exit IP addresses. Randomly selecting orsequentially selecting an exit IP address may include selecting an exitIP address according to, for example, an inverse sequential order, arandom sequential (random but higher) order, a random inverse (randombut lower) order, a random non-sequential (random but not next) order, atwo-step (random and then next) order, a random including current exitIP address order, a sequential discreet (at least n+2 steps, with nbeing an integer), and/or a random lower bound (random but only within aupper half, upper quartile, etc.) order. In some aspects, sequentiallyselecting the exit IP address may include selecting a next exit IPaddress from a predefined list of exit IP addresses.

In some aspects, the VPN server 120 may include the network monitoringdevice 230. In some aspects, the VPN server 120 and the networkmonitoring device 230 may be co-located (e.g., share a location).

The VPN server 120 may include an IP address managing device 210 forselecting and/or assigning an exit IP address, from among the pluralityof exit IP addresses, to communicate data associated with the userdevice 102. In some aspects, the IP address managing device 210 mayactivate, for example, the first exit IP address by selecting and/orassigning the first exit IP address to communicate data associated withthe user device 102. To activate the first exit IP address, the VPNserver 120 may use an internal firewall (e.g., nftable) to update sourcenetwork address translation (SNAT) rules such that the first exit IP isused for communicating data and/or set an internal connection trackingtable to select and/or assign the first exit IP address for being usedfor communicating data associated with the user device 102 (and/or anyother user device).

The router 220 may be responsible for communication of data across thenetwork boundary. The router 220 may be configured to monitor and recorddata traffic, including an amount of data communicated (e.g.,transmitted and/or received), associated with the VPN server 120. Therouter 220 may also be configured to retrieve and/or receive data fromthe VPN server 120 (e.g., in case of absence of other means to retrieveand/or receive the data). In some aspects, the router 220 may functionas a switch and be responsible for routing data received from anappropriate exit IP address of the VPN server 120 to, for example, thehost device on the open internet and for routing data received from thehost device on the open internet to the appropriate exit IP address ofthe VPN server 120. The network monitoring device 230 may be configuredto monitor an amount of data communicated to one or more exit IPaddresses. In some aspects, the network monitoring device 230 mayreceive sampled data from the router 220, the sampled data indicating anamount of data transferred by, or to be transferred by, the router 220to the one or more exit IP address. In some aspects, the sampled datamay be transmitted and/or received via an sFlow protocol, a Netflowprotocol, an IPFIX protocol, a Tera flow protocol, port mirroring, orany other mechanism able to communicate sampled data. In one example,the network monitoring device 230 may receive a sampled data from therouter 220, the sampled data indicating an amount of data routed by therouter 220 to the first exit IP address.

The network monitoring device 230 may also be configured to compare theindicated amount of data with a data threshold associated with the firstexit IP address. In some aspects, the data threshold may be associatedwith a maximum amount of data that the first exit IP address (or anyother exit IP address) may be configured to receive in a communication.In some aspects, the data threshold may be associated with apredetermined amount of data that the first exit IP address (or anyother exit IP address) may be configured to receive in a communicationand/or within a given time duration. In some aspects, the data thresholdmay be preset/predetermined and/or dynamically set during operation ofthe VPN server 120. In some aspects, the VPN server 120 may evaluatefactors such as, for example, a total amount of traffic associated withthe first exit IP address, an amount of load on a processor associatedwith the VPN server 120 based on traffic via the first exit IP address,an amount of user devices associated with the first exit IP address, orthe like to preset/predetermine and/or dynamically set the datathreshold. For instance, during operation, the VPN server 120 maycompare (e.g., continuously or at periodic intervals) the total amountof traffic to a limit amount of traffic that the first exit IP addressis configured to handle, the VPN server 120 may reduce the datathreshold before, for example, the first exit IP address becomessaturated.

During the established VPN connection, the VPN server 120 may receivecommunication data using the first exit IP address at, for example, afirst port associated with the first exit IP address. In an instance,the communication data may include a data burst to be routed to thefirst exit IP address, the data burst being transmitted by a host device(or any other source) on the open internet. The data burst may include aburst amount of data that satisfies the data threshold (e.g., the burstamount of data is larger than the data threshold). For instance, theburst amount of data may include an amount of data larger than thepredetermined amount of data that the first exit IP address (or anyother exit IP address) is configured to receive in a communicationand/or within a given time duration. Based at least in part on receivingthe data burst, the switch 220 may sample the burst amount of data andtransmit the sampled burst amount of data to the network monitoringdevice 230.

Based at least in part on receiving the sampled burst amount of data,the network monitoring device 230 may compare the sampled burst amountof data with the data threshold associated with the first exit IPaddress. Based at least in part on the comparison, the networkmonitoring device 230 may determine that the sample burst amount of datasatisfies the data threshold (e.g., the sample burst amount of data islarger than the data threshold) associated with the first exit IPaddress. Based at least in part on such a determination, the networkmonitoring device 230 may transmit a route update request associatedwith the first exit IP address to the router 220 via a border gatewayprotocol (BGP) request. In some aspects, the route update request mayindicate to internet service providers (ISPs) on the VPN side and theopen internet side to null-route data to be transmitted to the firstexit IP address (e.g., suspend transmitting data to the first exit IPaddress). In some aspects, the network monitoring device 230 may routethe route update request (e.g., BGP request) to the ISPs via the router220. In some aspects, the router 220 may be configured to null-route thefirst exit IP address when there is enough bandwidth on the VPN side toprocess the sampled burst amount of data. For instance, based at leastin part on receiving the route update request from the networkmonitoring device, the router 220 may drop communication data associatedwith the first exit IP address. In this way, the route update requestmay not have to be routed to the ISPs.

Additionally, or alternatively, the network monitoring device 230 maysubstantially simultaneously transmit, and the VPN server 120 mayreceive, a notification indicating that the data burst, which satisfiesthe data threshold associated with the first exit IP address has beenreceived (e.g., network event) to be routed, or has been routed, to thefirst exit IP address and/or that the first exit IP address has beennull-routed. The notification may indicate to the VPN server 120 thatdata communication associated with the first exit IP address is to besuspended. In some aspects, the network monitoring device 230 maytransmit, and the VPN server 120 may receive, the notification at the IPaddress managing device 210. In some aspects, the network monitoringdevice 230 may transmit, and the VPN server 120 may receive, thenotification at the port associated with the first exit IP address. Insome aspects, the network monitoring device 230 may utilize ananti-distributed denial of service (anti-DDoS) protocol and/or processto transmit the notification to the VPN server 120. In some aspects, thenetwork monitoring device 230 may transmit the notification using ahypertext transfer protocol (HTTP), a hypertext transfer protocol secure(HTTPS), a quick user datagram protocol (UDP) Internet Connection (QUIC)protocol, a simple network management protocol (SNMP), or anothersuitable protocol.

Based at least in part on receiving the notification from the networkmonitoring device 230, the VPN server 120 may determine that the databurst satisfying the data threshold associated with the first exit IPaddress has been received and/or that the first exit IP address has beennull routed, and that data communication associated with the first exitIP address is to be suspended. The VPN server 120 may deactivate, duringthe established VPN connection, the first exit IP address based at leastin part on such a determination. In some aspects, deactivating the firstexit IP address may include suspending, for a given duration of time,the use of the first exit IP address for communication of data. In someaspects, deactivating the first exit IP address may include refrainingfrom using, for the given duration of time, the first exit IP addressfor communication of data. To deactivate the first exit IP address, theVPN server 120 may use the internal firewall to update the SNAT rulessuch that the first exit IP is no longer used for communicating data,and/or clear the internal connection tracking table to unselect and/orunassign the first exit IP address from being used for communicatingdata associated with the user device 102 (and/or any other user device).

Based at least in part on deactivating the first exit IP address, duringthe established VPN connection, the VPN server 120 may activate thesecond exit IP address for communicating data associated with the userdevice 102. In some aspects, activating the second exit IP address mayinclude selecting and/or assigning the second exit IP address, fromamong the plurality of exit IP addresses included in the pool of exit IPaddresses available to the VPN server, for communication of dataassociated with the user device 102. To activate the second exit IPaddress, the VPN server 120 may use the internal firewall to update theSNAT rules such that the second exit IP is used for communicating data,and/or set the internal connection tracking table to select and/orassign the second exit IP address for being used for communicating dataassociated with the user device 102 (and/or any other user device). Insome aspects, reassigning exit IP addresses may include deactivating thefirst exit IP address and/or activating the second exit IP addressduring the established VPN connection for communicating data associatedwith the user device 102.

In some aspects, the null-routing of data may be temporary. Forinstance, based at least in part on transmitting the BGP request, thenetwork monitoring device 230 may start running a null timer for a givenduration of time (e.g., 30 seconds, 60 seconds, 90 seconds, 120 seconds,300 seconds, or the like). Based at least in part on an expiration ofthe null timer, the network monitoring device 230 may transmit anotherBGP request to the ISPs to end the null-routing of the data to betransmitted to the first exit IP address. Based at least in part onending of the null-routing, the router 220 may receive, from the ISPs,communication data associated with the first exit IP address, and maytransmit sampled data indicating an amount of data received for routingto the first exit IP address.

The network monitoring device 230 may compare the indicated amount ofdata with the data threshold associated with the first exit IP address,and determine whether the indicated amount of data satisfies the datathreshold. When the indicated amount of data satisfies the datathreshold, the network monitoring device may transmit a BGP request tothe ISPs to again null-route the data to be transmitted to the firstexit IP address. During this processing by the network monitoring device230, the VPN server 120 may continue to keep the first exit IP addressdeactivated. On the other hand, when the indicated amount of data failsto satisfy the data threshold (e.g., indicated amount of data is equalto or less than the data threshold), the network monitoring device 230may transmit, and the VPN server 120 may receive, another notificationindicating that the communication data, which fails to satisfy the datathreshold has been received (e.g., network event) to be routed to thefirst exit IP address and/or that the null-routing of the first exit IPaddress has ended. Based at least in part on receiving such anotification, the VPN server 120 may reactivate the first exit IPaddress, as discussed above with respect to FIG. 2.

In some aspects, based at least in part on receiving (e.g., a time ofreceipt of) the notification that the communication data, which fails tosatisfy the data threshold has been received to be routed to the firstexit IP address and/or that the null-routing of the first exit IPaddress has ended, the VPN server 120 may continue to use the secondexit IP address for data communication associated with data requestsreceived from the user device 102 prior to the reactivation of the firstexit IP address and may use the reactivated first exit IP address fordata communication associated with requests received after reactivationof the first exit IP address. In such situations, the VPN server 120 maysimultaneously use the first exit IP address and the second exit IPaddress to communicate data associated with user device 102. To do so,the VPN server 120 may use the internal firewall to update sourcenetwork address translation (SNAT) rules such that the first exit IPand/or the second exit IP address are used for communicating data,and/or set the internal connection tracking table to select and/orassign the first exit IP address and/or the second exit IP address forbeing used for communicating data associated with the user device 102(and/or any other user device). In some aspects, based at least in parton determining that a data request (or all data requests) received priorto reactivation of the first exit IP address has been fulfilled, the VPNserver 120 may use the internal firewall to update the SNAT rules suchthat the first exit IP and/or the second exit IP address are used forcommunicating data, but set the internal connection tracking table toselect and/or assign only the first exit IP address for being used forcommunicating data associated with the user device 102 (and/or any otheruser device). In this way, the second exit IP address may be madeavailable to communicate data associated with other user devices. Insome aspects, the second exit IP address may be unselected from beingused to communicated data associated with the user device based at leastin part on reactivating the first exit IP address.

In some aspects, the VPN server 120 may start running an activationtimer, internal to the VPN sever 120, based at least in part onreceiving the notification indicating that the communication dataassociated with the first exit IP address fails to satisfy the datathreshold from the network monitoring device 230. The start running ofthe activation timer may be at a substantially similar time as the startrunning of the null timer. The activation timer may run for a durationof time (e.g., 60 seconds, 120 seconds, 180 seconds, 240 seconds, 600seconds, or the like) greater than the duration of time of the nulltimer. After receiving the notification indicating that thecommunication data associated with the first exit IP address fails tosatisfy the data threshold, the VPN server 120 may wait until anexpiration of the activation timer to reactivate the first exit IPaddress.

In this way, by deactivating, during the established VPN connection, thefirst exit IP address based at least in part on determining that theamount of data communication associated with the first exit IP addresssatisfies the data threshold, and activating, during the established VPNconnection, the second exit IP address for communicating data associatedwith the user device based at least in part on deactivating the firstexit IP address, enables the VPN server 120 to provide uninterruptedcommunication of data associated with one or more user devices. As aresult, the VPN server may avoid providing degraded service to the oneor more user devices and may avoid having to terminate establishedrespective VPN connections. Additionally, VPN resources (e.g.,processing power, memory utilization, network bandwidth, etc.) and userdevice resources (e.g., processing power, memory utilization, powerconsumption, battery life, etc.) may be available for performingsuitable tasks related to the respective VPN connections.

As indicated above, FIG. 2 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 2.

FIG. 3 is an illustration of an example flow 300 associated withreassigning exit IP addresses in a VPN, according to various aspects ofthe present disclosure. Example flow 300 includes a VPN server 120, arouter 220, and a network monitoring device 230 in communication witheach other. In some aspects, a user device 102 (not shown) may have anestablished VPN connection with the VPN server 120 and may communicatewith the VPN server 120 over a network (e.g., network 122). The VPNserver 120 may receive, for example, communication data associated withthe user device 102 from the router 220, as discussed elsewhere herein.To receive the communication data, the VPN server 120 may utilize afirst exit IP address. The network monitoring device 230 may communicatemessages (e.g., sampled data) and/or route update requests with therouter 220 and may communicate notifications with the VPN server 120.The messages may be communicated using an sFlow protocol and the routeupdate requests may be communicated using a border gateway protocol(BGP). The notifications may be communicated via HTTP, HTTPS, QUIC,SNMP, or another suitable protocol, as discussed elsewhere herein.

As shown by reference numeral 310, the router 220 may transmit, and thenetwork monitoring device 230 may receive, a message (e.g., sFlowmessage) indicating a sampled burst amount of data associated with thefirst exit IP address, as discussed above with respect to FIG. 2. Basedat least in part on receiving the message, the network monitoring device230 may determine that the sampled burst amount of data satisfies thedata threshold (e.g., the burst amount of data is larger than the datathreshold) associated with the first exit IP address, as discussed abovewith respect to FIG. 2. Based at least in part on such a determination,as shown by reference numeral 320, the network monitoring device 230 maytransmit, and the router 220 may receive, a route update request (e.g.,a BGP request) associated with null-routing the first exit IP address,as discussed above with respect to FIG. 2. In some aspects, the BGPrequest is to be routed to associated ISPs, as discussed above withrespect to FIG. 2. Substantially simultaneously, the network monitoringdevice 230 may transmit, and the VPN server 120 may receive, anotification indicating that the data burst, which satisfies the datathreshold associated with the first exit IP address has been received(e.g., network event) to be routed to the first exit IP address and/orthat the first exit IP address has been null-routed, as discussed abovewith respect to FIG. 2. Based at least in part on receiving thenotification, as shown by reference numeral 330, the VPN server 120 maydeactivate the first exit IP address and may activate a second exit IPaddress, as discussed above with respect to FIG. 2.

As shown by reference numeral 340, the network monitoring device 230 maytransmit, and the router 220 may receive, another BGP request to therouter 220 to end the null-routing of the data to be transmitted to thefirst exit IP address, as discussed above with respect to FIG. 2. Basedat least in part on transmitting another BGP request, as shown byreference numeral 350, the router 220 may transmit, and the networkmonitoring device 230 may receive, another message (e.g., sFlow message)indicating, for example, that the communication data associated with thefirst exit IP address continues to satisfy the data threshold, asdiscussed above with respect to FIG. 2. In this case, the networkmonitoring device 230 may restart the null timer. Alternatively, basedat least in part on transmitting another BGP request, the router 220 maytransmit, and the network monitoring device 230 may receive, anothermessage (e.g., sFlow message) indicating, for example, that thecommunication data associated with the first exit IP address fails tosatisfy the data threshold. In this case, as shown by reference numeral360, the network monitoring device 230 may transmit, and the VPN server120 may receive, another notification (optional) indicating that thecommunication data, which fails to satisfy the data threshold has beenreceived to be routed to the first exit IP address and/or that thenull-routing of the first exit IP address has ended. Based at least inpart on receiving such notification, as shown by reference numeral 370,the VPN server 120 may reactivate the first exit IP address anddeactivate the second exit IP address, as discussed above with respectto FIG. 2.

As indicated above, FIG. 3 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 3.

FIG. 4 is an illustration of an example process 400 associated withreassigning exit IP addresses in a VPN, according to various aspects ofthe present disclosure. In some aspects, the process 400 may beperformed by a memory (e.g., memory 730) and a processor (e.g.,processor 720) associated with a VPN server (e.g., VPN server 120). Asshown by reference numeral 410, process 400 includes activating a firstexit IP address for communicating data associated with a user devicehaving an established VPN connection. For instance, the VPN server mayutilize an associated processor/controller (e.g., processor 720) toactivate a first exit IP address for communicating data associated witha user device having an established VPN connection, as discussedelsewhere herein.

As shown by reference numeral 420, process 400 includes deactivating,during the established VPN connection, the first exit IP address basedat least in part on determining that an amount of data communicationassociated with the first exit IP address satisfies a data threshold.For instance, the VPN server may utilize the associated memory andprocessor to deactivate, during the established VPN connection, thefirst exit IP address based at least in part on determining that anamount of data communication associated with the first exit IP addresssatisfies a data threshold, as discussed elsewhere herein.

As shown by reference numeral 430, process 400 includes activating,during the established VPN connection, a second exit IP address,different from the first exit IP address, for communicating dataassociated with the user device based at least in part on deactivatingthe first exit IP address. For instance, the VPN server may utilize theassociated memory and processor to activate, during the established VPNconnection, a second exit IP address, different from the first exit IPaddress, for communicating data associated with the user device based atleast in part on deactivating the first exit IP address.

Process 400 may include additional aspects, such as any single aspect orany combination of aspects described below and/or in connection with oneor more other processes described elsewhere herein.

In a first aspect, wherein process 400 includes reactivating the firstexit IP address based at least in part on determining that the amount ofdata communication associated with the first exit IP address fails tosatisfy the data threshold. In some aspects, the second exit IP addressmay be unselected from being used to communicate data associated withthe user device based at least in part on reactivating the first exit IPaddress.

In a second aspect, alone or in combination with the first aspect,wherein, in process 400, determining that the amount of datacommunication associated with the first exit IP address satisfies thedata threshold includes receiving a notification that indicates that theamount of data communication associated with the first exit IP addresssatisfies the data threshold.

In a third aspect, alone or in combination with the first through secondaspects, wherein, in process 400, determining that the amount of datacommunication associated with the first exit IP address satisfies thedata threshold includes receiving, at the first exit IP address, anotification that indicates that the amount of data communicationassociated with the first exit IP address satisfies the data threshold.

In a fourth aspect, alone or in combination with the first through thirdaspects, wherein, in process 400, determining that the amount of datacommunication associated with the first exit IP address satisfies thedata threshold includes receiving, via a hypertext transfer protocol(HTTP) message, a notification that indicates that the amount of datacommunication associated with the first exit IP address satisfies thedata threshold.

In a fifth aspect, alone or in combination with the first through fourthaspects, wherein, in process 400, deactivating the first exit IP addressincludes deactivating the first exit IP address for a given duration oftime.

In a sixth aspect, alone or in combination with the first through fifthaspects, wherein, in process 400, deactivating the first exit IP addressincludes extending deactivation of the first exit IP address based atleast in part on determining, after a given duration of time, that theamount of data communication associated with the first exit IP addresscontinues to satisfy the data threshold.

Although FIG. 4 shows example blocks of the process, in some aspects,the process may include additional blocks, fewer blocks, differentblocks, or differently arranged blocks than those depicted in FIG. 4.Additionally, or alternatively, two or more of the blocks of the processmay be performed in parallel.

As indicated above, FIG. 4 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 4.

FIG. 5 is an illustration of an example process 500 associated withreassigning exit IP addresses in a VPN, according to various aspects ofthe present disclosure. In some aspects, the process 500 may beperformed by a memory (e.g., memory 730) and a processor (e.g.,processor 720) associated with a VPN server (e.g., VPN server 120). Asshown by reference numeral 510, process 500 includes selecting a firstexit IP address for communicating data associated with a user devicehaving an established VPN connection. For instance, the VPN server mayutilize the associated memory and processor to select a first exit IPaddress for communicating data associated with a user device having anestablished VPN connection, as discussed elsewhere herein.

As shown by reference numeral 520, process 500 includes receiving anotification that indicates occurrence of a network event associatedwith the first exit IP address. For instance, the VPN server may utilizean associated communication interface (e.g., communication interface770) along with the associated memory and processor to receive anotification that indicates occurrence of a network event associatedwith the first exit IP address, as discussed elsewhere herein.

As shown by reference numeral 530, process 500 includes communicating,during the established VPN connection, data associated with the userdevice using a second exit IP address, different from the first exit IPaddress. For instance, the VPN server may utilize the associatedcommunication interface and the associated memory and processor tocommunicate (e.g., transmit and/or receive), during the established VPNconnection, data associated with the user device using a second exit IPaddress, different from the first exit IP address, as discussedelsewhere herein.

Process 500 may include additional aspects, such as any single aspect orany combination of aspects described below and/or in connection with oneor more other processes described elsewhere herein.

In a first aspect, wherein process 500 includes deactivating the firstexit IP address for a given duration of time based at least in part onreceiving the notification.

In a second aspect, alone or in combination with the first aspect,process 500 includes deactivating the first exit IP address for a givenduration of time based at least in part on receiving the notification;and reactivating the first exit IP address at an expiration of the givenduration of time or extending deactivation of the first exit IP addressbased at least in part on receiving another notification prior to theexpiration of the given duration of time.

In a third aspect, alone or in combination with the first through secondaspects, process 500 includes deactivating the first exit IP addressbased at least in part on receiving the notification that indicatesoccurrence of an amount of data communication associated with the firstexit IP address satisfying a data threshold, and reactivating the firstexit IP address based at least in part on receiving another notificationthat indicates occurrence of the amount of data communication associatedwith the first exit IP address failing to satisfy the data threshold.

In a fourth aspect, alone or in combination with the first through thirdaspects, in process 500, receiving the notification includes receivingthe notification that indicates communication of an amount of datacommunication associated with the first exit IP address satisfying adata threshold.

In a fifth aspect, alone or in combination with the first through fourthaspects, in process 500, receiving the notification includes receivingthe notification at a port associated with the first exit IP address.

In a sixth aspect, alone or in combination with the first through fifthaspects, in process 500, receiving the notification includes receivingthe notification via a hypertext transfer protocol (HTTP) message.

In a sixth aspect, alone or in combination with the first through fifthaspects, process 500 includes selecting, during the established VPNconnection, the second exit IP address for communicating data associatedwith the user device based at least in part on receiving thenotification.

Although FIG. 5 shows example blocks of the process, in some aspects,the process may include additional blocks, fewer blocks, differentblocks, or differently arranged blocks than those depicted in FIG. 5.Additionally, or alternatively, two or more of the blocks of the processmay be performed in parallel.

As indicated above, FIG. 5 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 5.

FIG. 6 is an illustration of an example process 600 associated withreassigning exit IP addresses in a VPN, according to various aspects ofthe present disclosure. In some aspects, the process 600 may beperformed by a memory (e.g., memory 730) and a processor (e.g.,processor 720) associated with a VPN server (e.g., VPN server 120). Asshown by reference numeral 610, process 600 includes receiving a messageindicating an amount of communication data associated with a first exitIP address. For instance, the VPN server may utilize an associatedcommunication interface (e.g., communication interface 770) along withthe memory and processor to receive a message indicating an amount ofcommunication data associated with a first exit IP address, as discussedelsewhere herein.

As shown by reference numeral 620, process 600 includes determining thatthe amount of communication data satisfies a data threshold associatedwith the first exit IP address. For instance, the VPN server may utilizethe associated memory and processor to determine that the amount ofcommunication data satisfies a data threshold associated with the firstexit IP address, as discussed elsewhere herein.

As shown by reference numeral 630, process 600 includes transmitting,based at least in part on the determining, a notification indicatingthat the amount of communication data satisfies the data threshold. Forinstance, the VPN server may utilize an associated communicationinterface (e.g., communication interface 770) along with the associatedmemory and processor to transmit, based at least in part on thedetermining, a notification indicating that the amount of communicationdata satisfies the data threshold, as discussed elsewhere herein.

Process 600 may include additional aspects, such as any single aspect orany combination of aspects described below and/or in connection with oneor more other processes described elsewhere herein.

In a first aspect, process 600 includes transmitting, via a bordergateway protocol to a source of the communication data, a request tosuspend communication of data associated with the first exit IP address.

In a second aspect, alone or in combination with the first aspect, inprocess 600, receiving the message includes receiving the message via ansflow protocol.

In a third aspect, alone or in combination with the first through secondaspects, in process 600, transmitting the notification includestransmitting the notification via a hypertext transfer protocol (HTTP).

In a fourth aspect, alone or in combination with the first through thirdaspects, in process 600, transmitting the notification includestransmitting the notification to indicate that data communicationutilizing the first exit IP address is to be suspended.

In a fifth aspect, alone or in combination with the first through fourthaspects, in process 600, determining that the amount of communicationdata satisfies the data threshold includes comparing the amount ofcommunication data with a threshold amount of data associated with thefirst exit IP address.

In a sixth aspect, alone or in combination with the first through fifthaspects, process 600 includes receiving the message includes receivingthe message from a switch configured to route the communication data tothe first exit IP address; and transmitting the notification includestransmitting the notification to a VPN server associated with the firstexit IP address.

Although FIG. 6 shows example blocks of the process, in some aspects,the process may include additional blocks, fewer blocks, differentblocks, or differently arranged blocks than those depicted in FIG. 6.Additionally, or alternatively, two or more of the blocks of the processmay be performed in parallel.

As indicated above, FIG. 6 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 6.

FIG. 7 is an illustration of example devices 700, according to variousaspects of the present disclosure. In some aspects, the example devices700 may form part of or implement the systems, environments,infrastructures, components, devices or the like described elsewhereherein (e.g., VPN server, IP address rotating device, encryption device,etc.). The example devices 700 may include a universal bus 710communicatively coupling a processor 720, a memory 730, a storagecomponent 740, an input component 750, an output component 760, and acommunication interface 770.

Bus 710 may include a component that permits communication amongmultiple components of a device 700. Processor 720 may be implemented inhardware, firmware, and/or a combination of hardware and software.Processor 720 may take the form of a central processing unit (CPU), agraphics processing unit (GPU), an accelerated processing unit (APU), amicroprocessor, a microcontroller, a digital signal processor (DSP), afield-programmable gate array (FPGA), an application-specific integratedcircuit (ASIC), or another type of processing component. In someaspects, processor 720 may include one or more processors capable ofbeing programmed to perform a function. Memory 730 may include a randomaccess memory (RAM), a read only memory (ROM), and/or another type ofdynamic or static storage device (e.g., a flash memory, a magneticmemory, and/or an optical memory) that stores information and/orinstructions for use by processor 720.

Storage component 740 may store information and/or software related tothe operation and use of a device 700. For example, storage component740 may include a hard disk (e.g., a magnetic disk, an optical disk,and/or a magneto-optic disk), a solid state drive (SSD), a compact disc(CD), a digital versatile disc (DVD), a floppy disk, a cartridge, amagnetic tape, and/or another type of non-transitory computer-readablemedium, along with a corresponding drive.

Input component 750 may include a component that permits a device 700 toreceive information, such as via user input (e.g., a touch screendisplay, a keyboard, a keypad, a mouse, a button, a switch, and/or amicrophone). Additionally, or alternatively, input component 750 mayinclude a component for determining location (e.g., a global positioningsystem (GPS) component) and/or a sensor (e.g., an accelerometer, agyroscope, an actuator, another type of positional or environmentalsensor, and/or the like). Output component 760 may include a componentthat provides output information from device 700 (via, for example, adisplay, a speaker, a haptic feedback component, an audio or visualindicator, and/or the like).

Communication interface 770 may include a transceiver-like component(e.g., a transceiver, a separate receiver, a separate transmitter,and/or the like) that enables a device 700 to communicate with otherdevices, such as via a wired connection, a wireless connection, or acombination of wired and wireless connections. Communication interface770 may permit device 700 to receive information from another deviceand/or provide information to another device. For example, communicationinterface 770 may include an Ethernet interface, an optical interface, acoaxial interface, an infrared interface, a radio frequency (RF)interface, a universal serial bus (USB) interface, a Wi-Fi interface, acellular network interface, and/or the like.

A device 700 may perform one or more processes described elsewhereherein. A device 700 may perform these processes based on processor 720executing software instructions stored by a non-transitorycomputer-readable medium, such as memory 730 and/or storage component740. As used herein, the term “computer-readable medium” may refer to anon-transitory memory device. A memory device may include memory spacewithin a single physical storage device or memory space spread acrossmultiple physical storage devices.

Software instructions may be read into memory 730 and/or storagecomponent 740 from another computer-readable medium or from anotherdevice via communication interface 770. When executed, softwareinstructions stored in memory 730 and/or storage component 740 may causeprocessor 720 to perform one or more processes described elsewhereherein. Additionally, or alternatively, hardware circuitry may be usedin place of or in combination with software instructions to perform oneor more processes described elsewhere herein. Thus, implementationsdescribed herein are not limited to any specific combination of hardwarecircuitry and software.

The quantity and arrangement of components shown in FIG. 7 are providedas an example. In practice, a device 700 may include additionalcomponents, fewer components, different components, or differentlyarranged components than those shown in FIG. 7. Additionally, oralternatively, a set of components (e.g., one or more components) of adevice 700 may perform one or more functions described as beingperformed by another set of components of a device 700.

As indicated above, FIG. 7 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 7.

Persons of ordinary skill in the art will appreciate that the aspectsencompassed by the present disclosure are not limited to the particularexemplary aspects described herein. In that regard, althoughillustrative aspects have been shown and described, a wide range ofmodification, change, and substitution is contemplated in the foregoingdisclosure. It is understood that such variations may be made to theaspects without departing from the scope of the present disclosure.Accordingly, it is appropriate that the appended claims be construedbroadly and in a manner consistent with the present disclosure.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the aspects to the preciseform disclosed. Modifications and variations may be made in light of theabove disclosure or may be acquired from practice of the aspects.

As used herein, the term “component” is intended to be broadly construedas hardware, firmware, or a combination of hardware and software. Asused herein, a processor is implemented in hardware, firmware, or acombination of hardware and software.

As used herein, satisfying a threshold may, depending on the context,refer to a value being greater than the threshold, greater than or equalto the threshold, less than the threshold, less than or equal to thethreshold, equal to the threshold, or not equal to the threshold, amongother examples, or combinations thereof.

It will be apparent that systems or methods described herein may beimplemented in different forms of hardware, firmware, or a combinationof hardware and software. The actual specialized control hardware orsoftware code used to implement these systems or methods is not limitingof the aspects. Thus, the operation and behavior of the systems ormethods were described herein without reference to specific softwarecode—it being understood that software and hardware can be designed toimplement the systems or methods based, at least in part, on thedescription herein.

Even though particular combinations of features are recited in theclaims or disclosed in the specification, these combinations are notintended to limit the disclosure of various aspects. In fact, many ofthese features may be combined in ways not specifically recited in theclaims or disclosed in the specification. Although each dependent claimlisted below may directly depend on only one claim, the disclosure ofvarious aspects includes each dependent claim in combination with everyother claim in the claim set. A phrase referring to “at least one of” alist of items refers to any combination of those items, including singlemembers. As an example, “at least one of: a, b, or c” is intended tocover a, b, c, a-b, a-c, b-c, and a-b-c, as well as any combination withmultiples of the same element (for example, a-a, a-a-a, a-a-b, a-a-c,a-b-b, a-c-c, b-b, b-b-b, b-b-c, c-c, and c-c-c or any other ordering ofa, b, and c).

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Further, asused herein, the article “the” is intended to include one or more itemsreferenced in connection with the article “the” and may be usedinterchangeably with “the one or more.” Furthermore, as used herein, theterm “set” is intended to include one or more items (e.g., relateditems, unrelated items, a combination of related and unrelated items,etc.), and may be used interchangeably with “one or more.” Where onlyone item is intended, the phrase “only one” or similar language is used.Also, as used herein, the terms “has,” “have,” “having,” or the like areintended to be open-ended terms. Further, the phrase “based on” isintended to mean “based, at least in part, on” unless explicitly statedotherwise. Also, as used herein, the term “or” is intended to beinclusive when used in a series and may be used interchangeably with“and/or,” unless explicitly stated otherwise (e.g., if used incombination with “either” or “only one of”).

What is claimed is:
 1. A method for reassigning exit internet protocol(IP) addresses in a virtual private network (VPN), the methodcomprising: activating, by a VPN server, a first exit IP addressavailable to the VPN server for communicating data associated with auser device having an established VPN connection with the VPN server;deactivating, by the VPN server during the established VPN connection,the first exit IP address based at least in part on determining that anamount of data communication associated with the first exit IP addresssatisfies a data threshold; and activating, by the VPN server during theestablished VPN connection, a second exit IP address available to theVPN server, the second exit IP address being different from the firstexit IP address, for communicating data associated with the user devicebased at least in part on deactivating the first exit IP address.
 2. Themethod of claim 1, further comprising: reactivating the first exit IPaddress based at least in part on determining that the amount of datacommunication associated with the first exit IP address fails to satisfythe data threshold.
 3. The method of claim 1, wherein determining thatthe amount of data communication associated with the first exit IPaddress satisfies the data threshold includes receiving a notificationthat indicates that the amount of data communication associated with thefirst exit IP address satisfies the data threshold.
 4. The method ofclaim 1, wherein determining that the amount of data communicationassociated with the first exit IP address satisfies the data thresholdincludes receiving, at the first exit IP address, a notification thatindicates that the amount of data communication associated with thefirst exit IP address satisfies the data threshold.
 5. The method ofclaim 1, wherein determining that the amount of data communicationassociated with the first exit IP address satisfies the data thresholdincludes receiving a notification that indicates that the amount of datacommunication associated with the first exit IP address satisfies thedata threshold, the notification being received via a hypertext transferprotocol (HTTP) message, a HTTP secure (HTTPS) message, a quick userdatagram protocol Internet Connection (QUIC) protocol message, or asimple network management protocol (SNMP) message.
 6. The method ofclaim 1, wherein deactivating the first exit IP address includesdeactivating the first exit IP address for a given duration of time. 7.The method of claim 1, wherein deactivating the first exit IP addressincludes extending deactivation of the first exit IP address based atleast in part on determining, after a given duration of time, that theamount of data communication associated with the first exit IP addresscontinues to satisfy the data threshold.
 8. A device associated with avirtual private network (VPN) server for reassigning exit internetprotocol (IP) addresses in a VPN, the device comprising: a memory; and aprocessor communicatively coupled to the memory, the memory and theprocessor being configured to: activate a first exit IP addressavailable to the VPN server for communicating data associated with auser device having an established VPN connection with the VPN server;deactivate, during the established VPN connection, the first exit IPaddress based at least in part on determining that an amount of datacommunication associated with the first exit IP address satisfies a datathreshold; and activate, during the established VPN connection, a secondexit IP address available to the VPN server, the second exit IP addressbeing different from the first exit IP address, for communicating dataassociated with the user device based at least in part on deactivatingthe first exit IP address.
 9. The device of claim 8, wherein the memoryand the processor are configured to: reactivate the first exit IPaddress based at least in part on determining that the amount of datacommunication associated with the first exit IP address fails to satisfythe data threshold.
 10. The device of claim 8, wherein, to determinethat the amount of data communication associated with the first exit IPaddress satisfies the data threshold, the memory and the processor areconfigured to receive a notification that indicates that the amount ofdata communication associated with the first exit IP address satisfiesthe data threshold.
 11. The device of claim 8, wherein, to determinethat the amount of data communication associated with the first exit IPaddress satisfies the data threshold, the memory and the processor areconfigured to receive, at the first exit IP address, a notification thatindicates that the amount of data communication associated with thefirst exit IP address satisfies the data threshold.
 12. The device ofclaim 8, wherein, to determine that the amount of data communicationassociated with the first exit IP address satisfies the data threshold,the memory and the processor are configured to receive a notificationthat indicates that the amount of data communication associated with thefirst exit IP address satisfies the data threshold, the notificationbeing received via a hypertext transfer protocol (HTTP) message, a HTTPsecure (HTTPS) message, a quick user datagram protocol InternetConnection (QUIC) protocol message, or a simple network managementprotocol (SNMP) message.
 13. The device of claim 8, wherein, todeactivate the first exit IP address, the memory and the processor areconfigured to deactivate the first exit IP address for a given durationof time.
 14. The device of claim 8, wherein the memory and the processorare configured to extend deactivation of the first exit IP address basedat least in part on determining, after a given duration of time, thatthe amount of data communication associated with the first exit IPaddress continues to satisfy the data threshold.
 15. A non-transitorycomputer-readable medium configured to store instructions, which whenexecuted by a processor associated with a virtual private network (VPN)server, cause the processor to: activate a first exit internet protocol(IP) address available to the VPN server for communicating dataassociated with a user device having an established VPN connection withthe VPN server; deactivate, during the established VPN connection, thefirst exit IP address based at least in part on determining that anamount of data communication associated with the first exit IP addresssatisfies a data threshold; and activate, during the established VPNconnection, a second exit IP address available to the VPN server, thesecond exit IP address being different from the first exit IP address,for communicating data associated with the user device based at least inpart on deactivating the first exit IP address.
 16. The non-transitorycomputer-readable medium of claim 15, wherein the processor isconfigured to: reactivate the first exit IP address based at least inpart on determining that the amount of data communication associatedwith the first exit IP address fails to satisfy the data threshold. 17.The non-transitory computer-readable medium of claim 15, wherein, todetermine that the amount of data communication associated with thefirst exit IP address satisfies the data threshold, the processor isconfigured to receive a notification that indicates that the amount ofdata communication associated with the first exit IP address satisfiesthe data threshold.
 18. The non-transitory computer-readable medium ofclaim 15, wherein, to determine that the amount of data communicationassociated with the first exit IP address satisfies the data threshold,the processor is configured to receive, at the first exit IP address, anotification that indicates that the amount of data communicationassociated with the first exit IP address satisfies the data threshold.19. The non-transitory computer-readable medium of claim 15, wherein, todetermine that the amount of data communication associated with thefirst exit IP address satisfies the data threshold, the processor isconfigured to receive a notification that indicates that the amount ofdata communication associated with the first exit IP address satisfiesthe data threshold, the notification being received via a hypertexttransfer protocol (HTTP) message, a HTTP secure (HTTPS) message, a quickuser datagram protocol Internet Connection (QUIC) protocol message, or asimple network management protocol (SNMP) message.
 20. Thenon-transitory computer-readable medium of claim 15, wherein, todeactivate the first exit IP address, the processor is configured todeactivate the first exit IP address for a given duration of time.